Saturday, May 13, 2017

Honeypots and the French election

NOTE: this post is primarily a reprint of other sources, which I credit. I just wanted to get the information in one place for quick reference. The main points that cannot reasonably be disputed are:
- There was some sort of attack on the Macron presidential election campaign targeting email and documents.
- The tech-savvy Macron team had prepared in advance with a honeypot strategy that was at least partially effective.
- Many indicators point to Russia, with Fancy Bear/APT28 at the top of the list; however, Forbes was wise to call attribution into question. I have worked on attribution in one manner or another for fifteen years and there is a real risk of drawing an incorrect conclusion.

An article published by Ars Technica describes the Russian attempt to influence the French presidential election. "The failed effort by Russian attackers to influence the outcome of the French presidential campaign in its final hours was in part a forced error, thanks to an active defense by the digital team of French president-elect Emmanuel Macron's campaign organization, the digital director of the campaign has claimed. Campaign team members told the New York Times that as the phishing attacks mounted, they created a collection of fake e-mail accounts seeded with false information.
"We created false accounts, with false content, as traps," Macron campaign digital director Mounir Mahjoubi told the Times. "We did this massively, to create the obligation for them to verify, to determine whether it was a real account."

In their haste, they left telltale signs of their identity. "According to a Trend Micro report on April 25, the Macron campaign was targeted by the Pawn Storm threat group (also known as "Fancy Bear" or APT28) in a March 15 "phishing" campaign. The phishing domain was registered by a "Johny Pinch" using a webmail address. The same threat group's infrastructure and malware were found to be used in the breach of the Democratic National Committee in 2016, in the phishing attack targeting members of the presidential campaign of former Secretary of State Hillary Clinton, and in a number of other campaigns against political targets in the US and Germany over the past year."

Forbes, however, cautions that the evidence is not conclusive: "And, Doman told me, he had not seen "anything definitive" linking the two phishing domains found by Trend Micro and the Macron dump, "though it seemed likely."
Muddying the waters even further is the fact that En Marche's digital lead Mounir Mahjoubi indicated to French press Macron's campaign may have put its own fake data on its servers as part of a "honeypot," set up to attract hackers and trick them into pilfering tagged data. Typically, honeypots are used as traps to track attackers' activities."
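The "tagged data" idea in the Forbes passage, as an added example (this is not code from the Macron campaign or from any of the cited sources): plant a unique, unguessable marker in every decoy document so that a later dump can be fingerprinted, and trace each marker back to the decoy account it was planted in. The account names, file names and the INV- reference format are constructed for the example.

```python
"""Tagged decoy data ("honeytokens"), the technique behind the campaign's traps.

Added example, not the En Marche team's tooling: every account name, document and
marker format below is constructed. Two halves: (1) plant a unique, unguessable
marker in each decoy document and remember which decoy it belongs to;
(2) recognise those markers when they surface in a leaked dump or in logs, so a
dump can be shown to contain planted material and each hit traced to the decoy
account it was lifted from.
"""
import re
import secrets
from dataclasses import dataclass, field

# Markers masquerade as invoice reference numbers: "INV-" plus 16 hex digits
# (64 random bits, so an attacker can neither guess nor forge one).
TOKEN_RE = re.compile(r"\bINV-([0-9a-f]{16})\b")


@dataclass
class Decoy:
    account: str      # decoy mailbox the document was planted in
    document: str     # file name as planted
    token: str        # the marker embedded in it


@dataclass
class Registry:
    by_token: dict = field(default_factory=dict)

    def plant(self, account: str, document: str, template: str) -> str:
        """Return `template` with its {{REF}} placeholder replaced by a fresh
        marker, and record which decoy the marker identifies."""
        token = "INV-" + secrets.token_hex(8)
        self.by_token[token] = Decoy(account, document, token)
        return template.replace("{{REF}}", token)

    def fingerprint(self, text: str) -> list:
        """Decoys whose markers appear in `text` (e.g. a dump posted online).
        Each decoy is reported once even if its marker occurs many times."""
        hits, seen = [], set()
        for m in TOKEN_RE.finditer(text):
            d = self.by_token.get("INV-" + m.group(1))
            if d and d.token not in seen:
                seen.add(d.token)
                hits.append(d)
        return hits

    def scan_logs(self, lines) -> list:
        """(line, decoy) pairs for log lines that carry a marker, e.g. an
        attacker opening a tracked link or searching a mailbox for the
        reference. Any marker seen in live traffic means the bait was taken."""
        out = []
        for line in lines:
            for d in self.fingerprint(line):
                out.append((line, d))
        return out


def demo() -> list:
    """Plant two constructed decoys, build a fake 'dump' containing one of
    them plus noise, and return the decoys the dump is fingerprinted to."""
    reg = Registry()
    doc_a = reg.plant("tresorerie@campaign.invalid", "facture-03.txt",
                      "Facture {{REF}}, montant 4 200 EUR")
    reg.plant("rh@campaign.invalid", "contrat-type.txt", "Dossier {{REF}}")
    dump = "random noise\n" + doc_a + "\nINV-0000000000000000 (not ours)\n"
    return reg.fingerprint(dump)
```

The registry is the only link between a marker and the decoy it was planted in; keeping it offline until after a leak, then publishing the matches, is how a defender demonstrates which parts of a dump were bait rather than asking the public to take that on faith.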

Attribution is, and will always be, one of the most challenging problems of cybersecurity response. The folks that are willing to say "probably" as opposed to "surely" are to be congratulated.

This operation will certainly add credibility to Macron's emphasis on cybersecurity and tech for France and his efforts to combat extremism. "French presidential candidate and frontrunner Emmanuel Macron said on Monday he would step up efforts to get technology firms such as Google or Facebook to share encrypted content from messaging services with authorities."

"With an eye on the Elysée Palace, Mr Macron has been only too happy to associate himself with France’s burgeoning tech scene, hoping its open-mindedness and can-do attitude would reflect back on him. When he was economy minister he hastily organised a glitzy reception for him and French entrepreneurs at the Consumer Electronics Show in Las Vegas in 2016. Prosecutors are probing irregularities in the way the party was organised, although the investigation does not involve him.
As economy minister in a socialist government he enthusiastically backed a government initiative to promote the country’s tech ecosystem under a single brand at home and abroad. “Macron has been a strong advocate for the French tech scene,” says Frederic Mazzella, co-founder of ride-sharing company BlaBlaCar."

Monday, April 17, 2017

Brett Whittaker - looking for cyber job Augusta GA Area

Brett Scott Whittaker
529 Waterford Dr
Evans, GA 30809
(410) 979-9493 / (410) 672-0637

OBJECTIVE:  Seeking a position within the Development or Computer Network Operations (CNO) communities that is commensurate with my experience, challenging in scope, and dynamic in opportunity.


·      Software Development
·      Cyber Operation Instruction
·      Network Analysis
·      Network Operations
·      Intelligence Analysis
·      Digital Forensics
·      Training Management
·      Top Secret/SCI Clearance

Aug 2015 – Apr 2017: Exploit Development Instructor and Training Content Author
·      Professionally instructed hundreds of students in exploit development on Linux and Windows platforms so they can better defend against the techniques.
·      Authored & built Reverse Engineering courseware that demonstrated virtual memory, stack operations and registers to meet DoD Cyber contract demands.
·      Created professional training materials on modern & legacy encryption techniques for multi-million dollar government contract fulfillment.
·      Utilized gdb and Immunity debuggers to analyze software and develop buffer overflows to defeat ASLR, DEP, stack canaries & cookies for demonstration.
·      Crafted & taught Python scripts to automate analysis and launch remote exploits.
·      Built and demonstrated web exploits to include SQL Injection, Cross Site Scripting, Authentication and Session Management, and others.
·      Trained students on the Metasploit framework to enable exploit communications.
·      Educated DoD cyber warriors on basic/intermediate Linux operating system skills.
·      Instructed automation techniques utilizing bash, batch and PowerShell scripting to survey remote network hosts, network devices and local computers.
·      Developed applications in C and Assembly to demonstrate stack overflow vulnerabilities and proper defensive coding practices.
·      Authored student evaluations based on in-class tasks, formal tests and hands-on performance in active networks for government job-role assessments.
·      Developed and built multiple web-based training modules that provided on-demand remote learning including narration, demonstration, labs and testing.

Dec 2011 - Jul 2015: Analysis Flight Chief, Operator, Planner, Network Warfare Unit
·      Conducted computer network exploitation operations to include characterization, vulnerability scanning, and exploitation to fulfill tailored intelligence needs.
·      Performed in-depth network analysis derived from multi-sourced data and authored operational cyber plans for execution organization-wide.
·      Created and managed the 105 Cyber Combat Mission Team (CCMT) training program that served dozens of members and instructed topics that included network analysis, intelligence, doctrine, operations and critical thinking.
·      Managed Joint Qualification Requirement program that ensured dozens of team members met and maintained qualifications, learned technical skills, and remained current on doctrine and regulations.
Oct 2006 - Nov 2011: Operations Section NCOIC & Operator
·      Performed vast numbers of real-world cyber operations that produced many intelligence products delivered to internal analysts and external customers to include multiple military services, intelligence agencies, the US State Department, and the President of the United States.
·      Performed digital forensics on vast numbers of computers and networking devices that ran numerous operating systems, including Windows 95 through Windows 8, *NIX-based platforms and various networking systems.
·      Trained dozens of network operators on tools, techniques and procedures for advanced network operations and operational security.

AS — Information Systems Technology, Community College of the Air Force, 2015
SANS Hacker Techniques, Exploits and Incident Handling, 40 hours, June 2014
SANS Security+, 40 hours, October 2013
SANS Reverse-Engineering Malware: Malware Analysis Tools/Techniques, June 2010
SANS Developing Exploits for Penetration Testers & Security Researchers, June 2009
Learning Tree International Certified Ethical Hacker, March 2009
Windermere Digital Interactive Network Operations Course, 480 hours, May 2007
Preliminary Tactical Digital Forensics: Section Zero, 1100 hours, Dec 2007
Prior Air Force Courses: Advanced C & Ada, Oracle 7, Object-Oriented Design, etc.

105 Combat Mission Team, Cyber Fires Planner, 2014
SIGDEV Strategy & Governance, Network Analyst, 2013
Requirements & Targeting, Exploitation Analyst, 2013
Operations Center, Interactive Operator, 2007
Communications Computer System Programmer, 1992-2006

Certified CompTIA Security+, Oct 2013 - Present
Certified Information Systems Security Professional (CISSP), Apr 2009 – 2012 (expired)

Thursday, March 2, 2017

Yahoo Verizon Breach Impact on Future M&A

Executive Summary: Cybersecurity is likely to take another step toward a quantitative number for its value to an organization. According to Vanity Fair, Yahoo (a collection of web properties including Flickr and Tumblr) was worth $128B at its peak, was mismanaged, and agreed to be bought for $4.8B. That SEC filing is here. LATIMES reports some analysts do not feel the matchup will work. Now that it is clear Yahoo knew about the data breach before the Verizon acquisition and did not disclose it, that is potentially a deal breaker. That SEC filing is here. On 12/15/16 new information indicated that up to a billion accounts had been compromised. Time has an interesting analysis. 3/2/17: the CEO is giving up her bonus and the CLO has resigned.

Because it is the largest known data breach in history (originally reported as 500M accounts, but MarketWatch and BusinessInsider say potentially 1B, which is starting to look more likely), it is setting up to become "the mother of" all data breach settlements. Forbes points out that poor cybersecurity can lead to lawsuits. Since many people reuse the same password on multiple systems, one use of the breached data is to crack the password hashes offline and then try the recovered passwords against other sites (credential stuffing). Threatpost says most of the Yahoo hashes are bcrypt, which is expensive to brute force, but a "small percentage" are the outdated, unsafe MD5.
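To make the bcrypt-versus-MD5 point concrete, here is an added example (not from Threatpost or any Yahoo disclosure) that runs the same dictionary attack against a constructed two-user database stored both ways. bcrypt itself needs a third-party package, so the standard library's hashlib.scrypt stands in for the salted, deliberately slow hash; the work-factor contrast is what matters and is the same.

```python
"""Offline cracking of a leaked password database: unsalted MD5 vs a slow hash.

Added example, not from any Yahoo report; the "leaked" records and the word
list are constructed. The post says most Yahoo hashes were bcrypt and a few
MD5. bcrypt needs a third-party package, so hashlib.scrypt from the standard
library stands in for the salted, deliberately slow hash here; the point
(per-record, per-guess work that cannot be precomputed or shared) is the same.
"""
import hashlib
import hmac
import os

# Constructed dictionary of common passwords (stand-in for a real wordlist).
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2016", "iloveyou"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(records: dict, wordlist) -> tuple:
    """records: {user: md5_hex}. Unsalted, so each guess is hashed ONCE and
    looked up against every record. Returns (recovered, hashes_computed)."""
    table = {md5_hex(w): w for w in wordlist}
    recovered = {u: table[h] for u, h in records.items() if h in table}
    return recovered, len(wordlist)


def slow_hash(password: str, salt: bytes, n: int = 2 ** 14) -> bytes:
    # n is the CPU/memory cost; 2**14 with r=8 needs ~16 MiB per evaluation.
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)


def make_slow_record(password: str) -> tuple:
    salt = os.urandom(16)                 # unique per user
    return salt, slow_hash(password, salt)


def verify_slow(password: str, record: tuple) -> bool:
    salt, digest = record
    return hmac.compare_digest(slow_hash(password, salt), digest)


def crack_slow(records: dict, wordlist) -> tuple:
    """records: {user: (salt, digest)}. The salt is unique per user, so every
    guess must be re-hashed for every record; no table can be shared and each
    evaluation costs milliseconds instead of nanoseconds."""
    recovered, work = {}, 0
    for user, record in records.items():
        for word in wordlist:
            work += 1
            if verify_slow(word, record):
                recovered[user] = word
                break
    return recovered, work


def demo() -> dict:
    """Two users, one weak and one strong password, stored both ways.
    Both schemes give up the weak password; only MD5 does it for free."""
    pw = {"alice": "123456", "bob": "correct horse battery staple"}
    md5_db = {u: md5_hex(p) for u, p in pw.items()}
    slow_db = {u: make_slow_record(p) for u, p in pw.items()}
    md5_found, md5_work = crack_md5(md5_db, WORDLIST)
    slow_found, slow_work = crack_slow(slow_db, WORDLIST)
    return {"md5": (md5_found, md5_work), "slow": (slow_found, slow_work)}
```

Either way the weak password falls, which is why the reuse problem in the paragraph above is the real exposure: the hash algorithm only decides how many of the 500M records an attacker can afford to recover before trying them elsewhere.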

CEO Marissa Mayer is now out of a job when the merger completes. She does have a handsome severance package. But the new CEO, Thomas McInerney, has a better package. 

Table of contents:
1) What will the financial impact be for Yahoo and Verizon in terms of the merger?
2) What can we expect in terms of Yahoo's stock valuation?
3) What are the general costs of a data breach?
4) What's next for Verizon?
5) Deja Vu. Operation Aurora 2009

1) What will the financial impact be for Yahoo and Verizon in terms of the merger? The $4.8B deal for at least 800M accounts was supposed to close in Q1 2017. That means we should know fairly soon. Currently experts are divided. 10/26/16 Fast Company posted an inscrutable article about an interview with Verizon executive Marni Walden that seems to imply there isn't a clear direction.

1.1 Some say the merger will be damaged or the price will change:

Yahoo has now disclosed Verizon may back out of the deal. To make matters worse, there may be another data breach to deal with. Inquisitr reports (via CNN) that hacked data was sold in three different $300,000 deals and that Verizon is renegotiating. One legal professor is predicting this could set a precedent that will be taught in law schools. 1/5/17 A Verizon executive states they are not sure what they are going to do. USA Today: "They (Verizon) are going to get a price discount."

10/6/16 a story, (based on a NY Post exclusive), broke on USA today that Verizon was asking for a $1B discount. 12/16/16 Fortune reports they are asking to reprice Yahoo's assets. 1/24/16 the situation is delaying the deal.

The Wall Street Journal reports Verizon CEO "Mr. McAdam, speaking at a technology conference in Menlo Park, Calif., on Monday, said he still sees Yahoo as “a real value asset,” but added: “In fairness we are still understanding what was going on and defining whether it was a material impact on the business or not.”"

CNBC reports Verizon CEO Lowell McAdam said he was "not that shocked" about a Yahoo data breach in which the information of 500 million users was stolen, saying it was not a matter of if, but when.

10/13/16 The Wall Street Journal reports "[Verizon] General Counsel Craig Silliman said it was “reasonable” to believe that the breach represented a material event that could allow it to change the terms of the takeover.

“If they believe that it’s not, then they’ll need to show us that,” said Mr. Silliman, who has been leading Verizon’s review of the situation."

10/18/16 Chicago Tribune reports Verizon's earnings have faltered for four consecutive quarters. The condensed financial information is here. CNBC points out they did profit and beat analyst consensus. Investorplace believes that since Verizon earnings are pretty flat in the highly competitive wireless marketplace, they need Yahoo and a reduced price would be a bonus. 10/23/16 WSJ reports that AT&T (also suffering from flat earnings and competition from Sprint and T-Mobile) is making an offer for Time Warner.

10/20/16 WSJ reports Verizon is revisiting the deal. Chicago Tribune quotes Verizon CFO Fran Shammo saying "Material Impact".

1.2 One possibility is that it will have no impact on the deal or even the selling price, NY Post reports, "Some experts said it would be hard for Verizon to prove the hacking was a material adverse change — the one surefire legal gambit that could scuttle the deal."

The NY Times reports, "Brian Quinn, an associate professor at Boston College Law School, said Verizon had two main options if it decided to use the hack as leverage in setting the terms of the deal.

“They could say, ‘This thing is huge. We want to walk away from the transaction,’” he said. Were Verizon to try to claim that the breach was so severe it was grounds to terminate the deal, it would have to prove that the hack amounted to a material adverse effect on the value of Yahoo.

Such claims can be difficult to prove in court. According to Mr. Quinn’s reading of the merger document for the deal, Verizon would most likely have to prove that certain high-level Yahoo employees were aware of the severity of the hack before the deal was agreed upon, and intentionally withheld that information."

Fortune reports, "Nonetheless, it would be very tough sledding to get a Delaware court to agree a so-called material adverse event had occurred, particularly given that evidence of reduced usage and related revenue declines, for example, would not be immediately available for quite some time."

11/17/16 Investopedia reports AOL is getting ready to lay off part of their sales force, which industry analysts claim indicates the deal will go through.

1.21 When Yahoo knew has a large impact on the deal!

Yahoo has now disclosed they knew about the compromise before the Verizon deal. That puts all the cards in Verizon's hand.

Quartz discusses whether Yahoo did or did not know about the breach they announced in September back in July, "In July, a well-known hacker who goes by the name “Peace” told Motherboard that he possessed 200 million Yahoo user details, which were going for 3 bitcoins a pop on a darknet market called TheRealDeal. Yahoo confirmed that it was “aware” of the claim at the time. 

This is the incident that Mayer was aware of in July, as the FT’s anonymous source says: “Marissa was aware absolutely—she was aware and involved when Peace surfaced this allegation in July,” according to the source.

The attempt to verify Peace’s claim then led Yahoo to discover the latest breach, of 500 million user records, according to the FT. Yahoo has attributed this hack not to Peace but to a “state-sponsored actor.” What’s not clear now is when Yahoo discovered the confirmed breach. It seems a safe bet that this discovery happened sometime after Peace made his claims in late July, which is also after the Verizon deal was clinched, on July 25."

NY Post, "Yahoo would have to pay some $145 million if the deal somehow falls apart and it is to blame. While the hack is “upsetting,” it isn’t clear “it is a material adverse change,” one big Yahoo shareholder told The Post."

What is unique in this case is that Verizon has a fairly advanced cybersecurity division. They are uniquely suited to investigate and determine the potential impact to the deal. That said, they have recently suffered their own breach: a recent thread posted on a guarded cybercrime forum advertised a database containing contact information for roughly 1.5 million Verizon Enterprise customers for sale at $100,000 for the lot.

10/13/16 Business Insider reported "CEO Marissa Mayer kept secrets from key members of the security team".

1.4 When there is blood in the water, sharks are sure to come. Many times when a company is in trouble, other allegations surface. Some of these are inevitable; others are lawsuits and similar actions hoping the company in trouble will settle.

1.4.1 Further damage from the NSA email-scanning story. 10/5/16 Reuters released a story that Yahoo searched incoming emails for US intelligence purposes. That would seem to be at odds with Yahoo's transparency policy. Slashdot reports, "The two former employees say that the decision Yahoo CEO Marissa Mayer made to obey the directive resulted in the June 2015 departure of CISO Alex Stamos, who left to work for Facebook." A Google search on 10/6/16 for "yahoo scanned emails" yielded 5.46M results. Fortune reports this could cause trouble with European customers. PredictWallStreet still does not appear to have priced in the damage since the breach disclosure; 76% of the responders expect the price to go up. This is in line with the NASDAQ consensus of BUY. On 10/5 and 10/6 YHOO closed at 43.71 and 43.68. EFF reports the specific instructions the government gave Yahoo may have to be disclosed: "Section 402 of the USA FREEDOM Act, passed in June 2015, specifically requires government officials to “conduct a declassification review of each decision, order, or opinion issued” by the FISC “that includes a significant construction or interpretation of any provision of law.” The Yahoo order would appear to fall squarely within this provision."

1.4.2 Mercury News reports Scott Ard a former executive that was fired has filed a lawsuit against Yahoo, because Marissa Mayer systematically sought to remove male employees.

1.4.3 Fortune reports Access Now, (international civil rights group) is interested in the email scanning issue.

1.4.4 NY Post has a fact free article that "Marissa Mayer’s days appear numbered as her company disappears"

2) What can we expect in terms of Yahoo's stock valuation? I have been poring over the financial analysts' reports and they seem to be oblivious to the impact of the breach, but I expect that will change. Is the bad news already priced into the stock? This may be an exception to an efficient market. After the merger announcement YHOO drifted up to 44.71 on September 6. Now it is drifting down, and closed September 26 at 42.29. That isn't necessarily surprising; not all data breaches have the impact that Target's did (profits YoY -40%, earnings YoY -46%, EPS $.81 down from $1.47, share price from about 70 to 56 and now almost back to 70).

However, this is the mother of all data breaches. It is possible there isn't a quant model for something of this size.  According to Yahoo Finance :), 52 week range is 26.15 - 44.92 and 1 year target is 42.75 where they already are. So there is a lot more room for downside than upside.

11/10/16 My prediction is that the quant models will start to be adjusted. The first chart shows an 18% increase for the year. The expectation that they will be acquired must be driving that, because revenues certainly are not. But in the past month they are down by 8% (second chart). Also look at the trading spikes along the bottom; that can only happen with computer-driven trading.

3) What are the general costs of a data breach? The IBM/Ponemon 2016 study on data breach costs is probably the most authoritative. According to the study, the average cost is $4M (compared to Target's $252M before insurance and tax write-offs). The cost has increased 29% since 2013. In the United States the average cost per capita is $221 ($221 x 500M = $110.5B, roughly 400x Target's final cost; treat that as an upper bound, since free/non-revenue accounts arguably have lower value).

USA Today has what I consider a more reasonable guesstimate: "I would [ask for a pause] if I was the buyer," said Chris Bulger, founder of Boston tech advisory bank Bulger Partners. "I would consider this a materially adverse change (a factor that could allow a party to back out of a sale) until my lawyer said don’t worry about it."

Bulger estimates that Yahoo will likely have to pay at least $10 per user in reparations. That could amount to $5 billion, more than Verizon's $4.8 billion purchase price, making Yahoo "worthless," he said.

3.1 Non-revenue doesn't necessarily mean free or of low value. A deal struck with AT&T 15 years ago allowed Yahoo users to manage their AT&T accounts from Yahoo mail. According to CNET, "The hack puts AT&T in an uncomfortable position. The company is still waiting for data from Yahoo on the specific customers who may have been affected, according to a person familiar with their dealings.

"We began investigating immediately and requested information from Yahoo necessary to determine which email accounts may have been compromised," the company said in a statement. "In the meantime, we are in the process of notifying potentially affected customers.""

3.2 Class action lawsuits. The Hill reports a class action suit was filed in California. USA Today reports two more. The Home Depot settlement (50M users) was $19.5M (less than forty cents per user). Target's was $39M for 40M users (just under a dollar per user). CNBC references a suit claiming gross negligence.

3.3 SEC investigation and/or fines.  In June 2016, the SEC announced Morgan Stanley agreed to pay $1M over an insider data breach of 730,000 customer accounts, about $1.37 per account.  Assuming that ratio, Yahoo's potential liability could be $685M.

3.3.1 SEC rules may need to be clarified, Reuters, "And the vagueness of SEC's 2011 rules on disclosure and its failure to enforce them are drawing equal attention, privacy lawyers and cyber security experts said."

3.4 Cost of business disruption. Fortune ran a Reuters story saying "many users" closed their Yahoo accounts. The number of active accounts presumably was a factor in the valuation (on July 15 Yahoo started closing accounts that had not been used in a year). 10/10/16 ET reports that they disabled mail forwarding, so users have to use Yahoo to read their mail.

NOTE: Closing your Yahoo account may be more complex than you might guess: you could lose your other Yahoo services like Flickr, and the account will still accept email for 90 days. SecurityWeek and Trend Micro disclosed that changing the Yahoo password does not prevent your iPhone mail client from accessing Yahoo, because the client holds a long-lived access credential that the password change does not revoke.
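The iPhone mail behaviour above is an instance of a general flaw: a password change that does not invalidate tokens issued under the old password. As an added example (this is not Yahoo's implementation; the store design is assumed for illustration), the weak store below is shown next to one that binds every token to a per-user credential generation, so that bumping the generation on password change revokes all outstanding tokens without having to enumerate them.

```python
"""A password change must also revoke long-lived client tokens.

Added example, not Yahoo's code; the store design is an assumption about how
the flaw the post describes (a phone mail client keeping access after a
password change) arises and how to fix it. WeakTokenStore validates a token
by existence and expiry alone, so it survives a password change.
GenerationTokenStore binds each token to the user's credential generation and
bumps the generation on password change, invalidating every outstanding token
at once; the session the change was made from can optionally be kept.
"""
import hashlib
import secrets
import time

ONE_YEAR = 365 * 86400


def _fingerprint(token: str) -> str:
    # Store only a hash of the token; a dump of the store yields nothing replayable.
    return hashlib.sha256(token.encode()).hexdigest()


class WeakTokenStore:
    """The flawed design: tokens live until expiry, independent of the password."""

    def __init__(self):
        self.tokens = {}   # fingerprint -> (user, expires_at)

    def issue(self, user: str, ttl: int = ONE_YEAR) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[_fingerprint(token)] = (user, time.time() + ttl)
        return token

    def change_password(self, user: str) -> None:
        pass   # nothing here touches the tokens: the bug

    def is_valid(self, token: str) -> bool:
        rec = self.tokens.get(_fingerprint(token))
        return rec is not None and rec[1] > time.time()


class GenerationTokenStore:
    """Corrected design: each token records the credential generation it was
    issued under; a password change increments the generation."""

    def __init__(self):
        self.generation = {}   # user -> current credential generation
        self.tokens = {}       # fingerprint -> (user, generation, expires_at)

    def issue(self, user: str, ttl: int = ONE_YEAR) -> str:
        gen = self.generation.setdefault(user, 0)
        token = secrets.token_urlsafe(32)
        self.tokens[_fingerprint(token)] = (user, gen, time.time() + ttl)
        return token

    def change_password(self, user: str, keep: str = None) -> None:
        """Bump the generation so all tokens issued before this call fail.
        `keep` re-binds the one session the user changed the password from,
        so they are not logged out of the device in their hand."""
        self.generation[user] = self.generation.get(user, 0) + 1
        if keep is not None:
            rec = self.tokens.get(_fingerprint(keep))
            if rec and rec[0] == user:
                self.tokens[_fingerprint(keep)] = (user, self.generation[user], rec[2])

    def is_valid(self, token: str) -> bool:
        rec = self.tokens.get(_fingerprint(token))
        if rec is None:
            return False
        user, gen, expires_at = rec
        return expires_at > time.time() and gen == self.generation.get(user, 0)


def demo() -> dict:
    """Phone and browser tokens for one user; password changed from the browser."""
    weak = WeakTokenStore()
    weak_phone = weak.issue("alice")
    weak.change_password("alice")

    good = GenerationTokenStore()
    phone, browser = good.issue("alice"), good.issue("alice")
    good.change_password("alice", keep=browser)
    return {"weak_phone_still_valid": weak.is_valid(weak_phone),
            "phone_still_valid": good.is_valid(phone),
            "browser_still_valid": good.is_valid(browser)}
```

Checking a generation on every request costs one dictionary lookup, which is why this design is preferred over walking the token table to delete entries: the revocation is atomic and cannot miss a token the server has forgotten about.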

According to Investopedia, "Yahoo’s core business has been slowly declining as the PC advertising and search engine space has come to be dominated by the likes of Google Inc. (GOOG) and Amazon (AMZN)." Depending on who you ask (recode, PR News, Marketing Land, Bloom Reach), somewhere between 44% and 55% of all online product searches begin with Amazon. After the breach, it is likely fewer people will use Yahoo.

3.5 Cost to diversity. Women executives have been leaving the company; no one is sure why. Reuters reports "Women leaders organically left because other opportunities were more appropriate for them," said Margenett Moore-Roberts, Yahoo's global head of diversity and inclusion. She said most of the women executives who left did so voluntarily after the plan to sell the core company was announced.

4) What's next for Verizon?

If Materially Adverse Change
          Price reduction OR Verizon walks away, (and possibly makes an offer for Twitter*)
          It is going to be a long winter for Verizon

* Fortune magazine reports Twitter will probably be bought at around $27 per share. 10/23/16 Maybe not: it closed on Friday at 18.09 and can't seem to find a buyer. Motley Fool reports declined to make an offer.

4.1 This may be a blessing, combining AOL and Yahoo seems a bit like bows and arrows against modern weapons. Quartz has a pre-breach article claiming the merger will not end well.

5) Deja Vu. Operation Aurora 2009

Wikipedia reports Yahoo was targeted by Operation Aurora in 2009. Multiple sources, Darkreading, Security Affairs, Nextrio, mention they were targeted, but the impact is sketchy. SANS NewsBites reports, "A number of foreign journalists based in China are claiming their Yahoo email accounts have been hacked. The Foreign Correspondents Club of China (FCCC) has confirmed that eight journalists have had their Yahoo email accounts hacked including one that had a forwarding address added to the account. Yahoo has made no direct comment regarding the claims and says that it is "committed to protecting user security and privacy." Earlier this year the Google mail accounts of Chinese dissidents were targeted in an attack on Google. The FCCC is advising users to take care when using email, especially for sensitive issues, and warning people that "email does not appear to be secure in China, and that alternate means of arranging interviews and conducting other sensitive business are often preferable". "

Wednesday, January 18, 2017

Defending Defense Contractors (recruiting)

I received an email that I have edited for clarity:

= = = 

There is a vulnerable HR process in the workflow of most DoD contracting firms around the beltway.

I can't tell you how many recruiters cold call me with an open position that may or may not be funded. In the old days, you would come in for an interview and meet the FSO (Facility Security Officer) to process your JPAS (Joint Personnel Adjudication System) record. For some firms, this is too expensive now.

As the potential victim to ID theft schemes we should consider an alternate approach.

We should have better tools to validate these DoD contracting recruiters.

Do you know of any like minded souls interested in embarking on a journey to defend "The Defense Contractor" ?

= = = 

It seems like a good point for several reasons. So my question, especially to the recruiters in my network is what are the characteristics that make a DoD contracting recruiter trustworthy?

Thursday, December 22, 2016

Job Opportunity - Cloud Security "Special Forces"

I do not usually post non GIAC focused job postings and have deep concern with the use of "Special Forces", but it sounds like an interesting job so here is the link:

Monday, December 5, 2016

CISO - In project planning define what "it" is

I reviewed project plans from four teams of really smart technical people today and after doing so, I am a bit troubled. One of the big problems in cybersecurity is that management is not convinced cyber-techies have any idea of what they are doing. Management may be right.

Two of the plans were, to be kind, minimalistic: maybe a half page of cryptic notes. The third looked like a government RFP, with 12 pages of writing for a 100 hour effort, and the fourth struck a balance between using as much paper as possible and actually laying out the work breakdown structure.

All four plans had the same serious flaw. They did not put any effort into defining what "it" is. This is one of the classic communication failures. The boss knows (or at least thinks she knows) what she wants. So she directs her team, "build me a framus". So they go to work to build a framus, but they don't stop to define what "it" is. The most common definition, of course, is a vintage stringed instrument. However, people familiar with the space program who still have a moonshot flight jacket with the mission patches know it can be a synonym for a gizmo or gadget, or more recently an app or chatbot.

This is not a new problem, everyone has heard of garbage in - garbage out. However, hearing about a thing and dealing with it well are separate issues.

The good news is that this was not an effort to deflect an asteroid from striking the earth. All four were graduate-level projects intended to increase the documented level of cybersecurity defensive information.

The bad news is the first week of the assignment is dedicated to the planning part. If we are dedicated to creating the next generation of cybersecurity leaders, we are going to have to solve the problem of teaching them to define what "it" is or we will end up with every imaginable framus.

Wednesday, November 23, 2016

Detecting indications of compromise while decreasing response time

Detecting Indications of Compromise and Decreasing Response Time
ISE 6100 – Security Project Practicum – CIO Report
Authors: Gordon Fraser, Tobias Mccurry, Wesley Earnest
Advisor: Stephen Northcutt
Accepted: November 23, 2016


GIAC Enterprises, a small to medium sized business specializing in Fortune Cookie sayings, is faced with the risk of its intellectual property being compromised. One of the most common vectors attackers use to gain access to this intellectual property is phishing email that lures users into executing malicious programs on their computers. To address this risk, GIAC’s CIO established a tiger team to investigate and examine ways to streamline the incident response process. Research shows that only 3% of users report possible phishing emails (Verizon, 2016). Because of this gap, the team focused on ways to automate detection. The team also looked for ways to decrease the amount of time it takes for an analyst to respond to a suspected incident. The proposed solution combines the open source tools Bro and Cuckoo to analyze incoming email attachments and escalate only the attachments deemed suspicious to the SOC analyst. The proposed solution also includes updates to GIAC’s incident response procedures to quickly identify compromised systems using indicators of compromise.

1.   Introduction

GIAC Enterprises, a small to medium sized business specializing in Fortune Cookie sayings, is faced with the risk of its intellectual property being compromised. One of the most common vectors attackers use to reach this data is phishing email that lures users into executing malicious programs on their computers. To address this risk, GIAC’s CIO established a tiger team to examine the following use cases:
·      Users receiving a phishing email with a malicious attachment.
·      Users receiving a phishing email with a malicious URL.
·      Drive-by attack resulting from a user visiting a malicious web site.

1.1.      Current Environment

GIAC’s current detection and response processes require many inefficient manual steps which unnecessarily burn incident response cycles. The current detection process relies heavily on the end user notifying the security team of suspicious emails. The Security Operations Center (SOC) analyst then needs to extract the suspicious attachment, upload it to the sandbox, and wait for analysis to finish. However, research shows that only three percent of users report possible phishing emails (Verizon, 2016). Because of this gap in the detection process, the team focused on ways to streamline and automate previously documented incident response steps.
The team also looked for ways to decrease the amount of time it takes for an analyst to respond to a suspected incident. In the current process, the email administrators notify the SOC analysts of the individuals who may have read or opened the email. The SOC analyst would then take whatever action was necessary. Per the Verizon 2016 Data Breach Investigations Report (Verizon, 2016), 30% of people who receive a phishing email open it, and only 12% of the recipients open the malicious attachment or click on the link. Quickly identifying the individuals who took the phishing bait would significantly reduce the scope of the investigation and the time to resolution.
GIAC Enterprises recently implemented a pilot SIEM utilizing AlienVault’s Open Source Security Information Management (OSSIM) product to improve situational awareness and visibility by correlating log files and security events.  Based on our team’s research and conversations with AlienVault, neither OSSIM nor AlienVault’s commercial solution Unified Security Management (USM) is designed to proactively examine files for malicious behavior.  It can only detect the malicious activity once the compromise has happened.  To protect GIAC’s intellectual property, a more proactive and automated solution must be implemented to mitigate the risk posed by these use cases.

2.   Proposed Solution

Based on the scenario of a phishing email leading to ransomware, the team focused its research efforts on points in the existing process that could be performed proactively or automated to make more efficient use of the SOC Analyst’s time.  The proposed solution combines open source tools, Bro and Cuckoo, to analyze incoming email attachments and escalate only the attachments that are deemed suspicious to the SOC Analyst.  According to AlienVault, “You cannot stop ransomware [...] detecting [ransomware] within a timely fashion gives you the chance to respond effectively.” (AlienVault, 2016).  The proposed solution also includes enhancements to GIAC’s incident response procedures to handle potential incidents.  Figure 1 shows the workflow of the proof-of-concept built during this project.
Figure 1: Proposed Solution Workflow
1)    Monitor network traffic (incoming SMTP traffic and outbound HTTP requests). 
2)    Parse SMTP and HTTP traffic with Bro and extract all files (based on configured list of MIME types) and URLs of interest.
3)    Extracted files are saved on the Bro server.  A service monitors for new files in a directory.  When a new file is detected, a script will copy the file to the Cuckoo server for analysis.
4)    Cuckoo server has a directory that is being watched for new files to analyze.  When a new file is detected in the directory, Cuckoo analyzes the file and generates a text output.
5)    A script parses the Cuckoo output.  If no outbound network connectivity is detected, the file is considered benign and discarded.  If outbound network connectivity is detected, then the file requires further analysis.  An Analyst Report text file is created and sent to the Bro server.
6)    On the Bro server, a script runs for each Analyst Report file which parses the Bro logs for the details of the HTTP connection or the SMTP email (to/from/subject) and appends a set of PowerShell scripts to the Analyst Report file.
7)    The PowerShell scripts can be used to search through the Exchange server mailboxes in order to:
a.     Find messages that share the same sender, subject, or attachment.
b.     Archive and/or delete the messages containing the suspect file.
8)    Notify SOC analyst of the new Analyst Report for further review and initiate the incident response process if necessary.
9)    Create a ticket in OSSIM to track the analysis of the suspicious file or URL, and any remediation effort.
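An added example (not the paper's own scripts) of the glue between steps 5 and 6: the Cuckoo report is checked for outbound network activity, and only then is the extracted file's fuid looked up in Bro's smtp.log to put sender, recipient and subject into the Analyst Report. It assumes Bro's default extract-all-files naming (extract-<ts>-<source>-<fuid>), the fuids column of smtp.log, and the tcp entries of Cuckoo's report.json; the report excerpt and log line are constructed samples.

```python
"""Hypothetical glue for steps 5 and 6 (not the paper's own scripts): escalate a
Cuckoo-analyzed attachment only if it made outbound connections, then look up
the SMTP envelope in Bro's smtp.log for the Analyst Report."""

def has_outbound_network(report):
    # Step 5 rule from the workflow: any tcp/udp/dns/http activity in Cuckoo's
    # "network" section means the sample reached out and needs an analyst.
    net = report.get("network", {})
    return any(net.get(key) for key in ("tcp", "udp", "dns", "http"))

def parse_bro_log(text):
    # Minimal reader for Bro's tab-separated logs, driven by the #fields header.
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def build_analyst_report(extracted_name, report, smtp_log):
    # Returns None for a benign file; otherwise the details for the Analyst Report.
    if not has_outbound_network(report):
        return None
    # Assumed Bro naming: extract-<ts>-<source>-<fuid>; the fuid is the key that
    # ties the extracted attachment back to its smtp.log entry.
    fuid = extracted_name.rsplit("-", 1)[-1]
    contacted = ["%s:%s" % (c["dst"], c["dport"]) for c in report["network"].get("tcp", [])]
    result = {"fuid": fuid, "contacted": contacted, "from": None, "to": None, "subject": None}
    for row in parse_bro_log(smtp_log):
        if fuid in row.get("fuids", "").split(","):  # fuids is a comma-separated vector
            result.update({"from": row["mailfrom"], "to": row["rcptto"], "subject": row["subject"]})
            break
    return result

# Constructed sample in the shape of Cuckoo's report.json "network" section.
CUCKOO_REPORT = {"network": {"dns": [], "http": [], "udp": [], "tcp": [
    {"src": "10.0.0.5", "sport": 49152, "dst": "203.0.113.10", "dport": 4444}]}}
BENIGN_REPORT = {"network": {"dns": [], "http": [], "udp": [], "tcp": []}}

# Constructed smtp.log excerpt (tab-separated as Bro writes it; columns trimmed).
SMTP_LOG = "\n".join([
    "#fields\tts\tuid\tmailfrom\trcptto\tsubject\tfuids",
    "1476000000.1\tCabc1\t<hr@example.net>\t<alice@giac.example>\tUpdated sayings\tFxyz789",
])

if __name__ == "__main__":
    print(build_analyst_report("extract-1476000000.1-SMTP-Fxyz789", CUCKOO_REPORT, SMTP_LOG))
```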

2.1.      Streamlining Incident Response Process

To efficiently streamline the incident response process, the team identified three sources of network data: DNS logs, netflows, and full packet capture. PassiveDNS logs DNS requests and responses.  The nfdump suite of tools helps capture the netflow data, which is a summary of network traffic. Tcpdump is used to collect full packet captures.

3.   Use Case Validation

The team constructed a lab environment to conduct simulated attacks. To test the first use case, a phishing email with a malicious attachment, an email was sent with a Word document that contained a Visual Basic script that executed a malicious payload that connected back to the attacker’s machine. The second and third use cases, a phishing email with a malicious URL and a drive-by attack, were tested by sending an email that contained a link to a web site that compromised the browser, connected back to the attacker, and downloaded and executed a malicious payload.
An Analyst Report was generated for the outbound connection initiated by the Word document and, separately, for the drive-by attack. Bro appended details from the original vector to the Analyst Report to help with the eradication portion of the incident response process. The eradication phase was validated by using the PowerShell scripts generated from the details provided in the steps above. These scripts removed the malicious emails from the users’ inboxes.
Given the indicators of compromise from the Analyst Report, we quickly identified the systems that were compromised.  This would support the incident response team during triage and allow them to focus their efforts on those systems which pose the most risk to the organization. During testing, full network traffic was captured for analysis. 

4.   Conclusion

This new workflow provides a much more comprehensive solution for dealing with both phishing emails and attachments and files downloaded via HTTP.  Bro and Cuckoo working together showed promise in detecting potentially malicious files.  Using the DNS logs, netflow data, and full packet captures proved valuable in streamlining the identification of compromised systems.

4.1.      Future Enhancements

There are several aspects within this proof-of-concept that could be enhanced during future phases of this project.  First, this proof-of-concept is currently only able to rule out benign files based on the absence of outbound network connectivity.  If only 3% of suspect files are currently being reported by end users, it is likely that promoting this new process to production will substantially increase the SOC analyst’s workload.  Further research is needed to improve the quality of detection capabilities in Cuckoo.  One such approach may be YARA.  YARA is a tool that could be integrated with Cuckoo to identify and classify malware (YARA, 2016).
Integration with Exchange is another area where the process could be further streamlined. Removing the manual step of identifying the users that received the email via PowerShell would be beneficial. Execution of the PowerShell scripts could be automated and the output included in the Analyst Report.
The integration with OSSIM could also be enhanced to provide the SOC analyst with additional visibility into the environment by creating custom plugins and correlation directives with the log data from Bro, Cuckoo, and Exchange. Creation of incident tickets could be automated to help raise awareness to a possible incident.
Like all intrusion detection systems, this new process is still limited to the traffic it can monitor.  Encrypted files, secure email, and HTTPS websites would require SSL/TLS termination at the border for the network monitoring tools such as Bro and nfdump to work.


AlienVault. (2016) Detect Ransomware Before It’s Too Late with AlienVault USM. Retrieved October 13, 2016, from
Verizon. (2016) 2016 Data Breach Investigations Report. Retrieved October 5, 2016, from
YARA. (2016) YARA in a nutshell. Retrieved October 7, 2016, from